Comfy FAQ for IT

Comfy is a cloud-based software application that delivers exceptional workplace experiences by enabling people to personalize their workplace environment while providing real-time, actionable insights for digital workplace leaders.

Comfy integrates with existing building systems that use the BACnet/IP protocol to dynamically change the environment based on need. Comfy ties into the building's HVAC system to manage zone temperatures based on occupant feedback. A Comfy user can request an immediate 10-minute stream of warm or cool air through the Comfy mobile or desktop application. Comfy communicates with the BMS to moderately adjust that zone's temperature and airflow. Over time, Comfy learns the preferences of that zone through machine learning and will automatically adjust the temperature range to better meet the needs of the employees throughout the day. Comfy shares these findings through Comfy Insights, a business intelligence dashboard that enables corporate real estate leaders to make data-driven decisions that create better workplaces and optimize their facilities.

Our Security Features

  • Redundant, managed cloud service leveraging Amazon cloud security
  • TLS 1.2/256-bit AES-encrypted transport
  • Multi-factor authentication
  • Comprehensive security program based on the NIST Risk Management Framework
  • Regular third-party penetration testing
  • Automated vulnerability scans

Frequently Asked Questions

1. How is Comfy secured from external hacks?

Comfy has different elements, so the best way to describe how Comfy is secured is to describe how each element is secured. These elements include the Comfy application, the Comfy Gateway, Comfy in the Cloud, and the network that connects all of these together.

Application Security: Comfy tests all code for security vulnerabilities and other defects before release, and regularly performs network and application scans for vulnerabilities.

The Comfy Gateway: The Comfy Gateway is a gateway box connected to the BMS network. The software on the Gateway is configured with the minimum set of software needed to perform its function, reducing exposure to hacks. The Gateway is connected via SSL to the Comfy cloud. Additionally, the Comfy app and the Comfy server are kept functionally separate in the cloud so the Gateway cannot be hacked via the app.

Comfy in the Cloud: Comfy runs on Amazon EC2, which has extensive physical and environmental controls, including redundant power supplies, biometric identification before physical access, and other measures to ensure the security and integrity of their systems. We regularly review their ISO 27001 and SOC 2 reports to ensure that their security measures align with our commitments to our customers.

Network Security: Customers access Comfy's products over the internet, using industry-standard secure and encrypted connections (TLS 1.0-1.2) using high-grade 2048-bit, SHA-256 certificates.
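An IT team reviewing the transport claims above will usually want to verify them rather than take them on faith: which TLS versions does the endpoint actually negotiate, and does the client side of an integration refuse anything older than TLS 1.2? The script below is an added example written for this FAQ, not Comfy's own code or tooling; the hostname is a placeholder and the probe works against any HTTPS endpoint you are authorized to test. It pins one protocol version per handshake and reports which ones complete, then flags the versions deprecated by RFC 8996 (TLS 1.0 and 1.1).

```python
"""Added example: probe which TLS protocol versions an endpoint negotiates,
and build a client context that refuses anything older than TLS 1.2.
The hostname used in __main__ is a placeholder (assumption), not a Comfy endpoint."""
import socket
import ssl

# One handshake attempt per version; names match what SSLSocket.version() returns.
PROBE_VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]

# TLS 1.0 and 1.1 are deprecated by RFC 8996; a server that still accepts them
# leaves clients exposed to negotiating a weaker protocol than they need.
DEPRECATED = {"TLSv1", "TLSv1.1"}


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt one handshake per protocol version with min and max pinned to it.
    Returns {version_name: True if the handshake completed, else False}.
    Certificate validation is disabled on purpose: the question here is which
    protocol versions the server offers, not whether its certificate is trusted."""
    results = {}
    for name, version in PROBE_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError, ValueError):
            # Handshake refused, connection failed, or the local OpenSSL build
            # will not even offer this version (common for TLS 1.0/1.1 on
            # OpenSSL 3): all of these count as "not negotiated".
            results[name] = False
    return results


def deprecated_versions_accepted(results: dict) -> list:
    """Return the deprecated versions the server negotiated, in probe order."""
    return [name for name, _ in PROBE_VERSIONS
            if name in DEPRECATED and results.get(name)]


def hardened_client_context() -> ssl.SSLContext:
    """Client context an integrator should use toward any cloud service:
    system CA bundle, certificate required, hostname checked, TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    target = "gateway.example.invalid"  # placeholder hostname (assumption)
    found = probe_tls_versions(target)
    for name, ok in found.items():
        print(f"{name:8s} {'negotiated' if ok else 'refused'}")
    weak = deprecated_versions_accepted(found)
    print("deprecated versions accepted:", ", ".join(weak) if weak else "none")
```

Run it with the hostname of the service you are evaluating. A result where only TLSv1.2 and TLSv1.3 are negotiated matches the "TLS 1.2" line in the feature list above; if TLSv1 or TLSv1.1 also complete, that is the gap to raise with the vendor. Note that a modern OpenSSL build may itself refuse to offer TLS 1.0/1.1, in which case the probe reports them as refused regardless of the server, so run it from a host whose OpenSSL still permits those versions when you need a definitive answer.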

2. I’ve heard about the Target breach and I’m worried about someone using Comfy to get into our internal systems. 

Yes, that was a big deal and cost Target millions. The "hack" didn't come through the HVAC software, though, but rather through the compromised laptop of an HVAC service technician. The big lesson learned there was to keep sensitive information secured away from access by a third-party service provider, and for the HVAC technician to practice much tighter operational security with devices such as company laptops.

3. Didn't Google Australia have their BMS hacked a few years back?

Yes, Google did. That incident shone a light on the need for corporate facilities teams to work with their own IT teams to properly secure their BMS platforms. If you rely on a controls contractor to set up a public-facing network connection for ease of remote access, you open your networks up to similar risk. At Comfy, we work with our clients every day to make sure any connection into the BMS network is as secure as possible; our methods rely on years of cybersecurity research and constant testing of protocols.

4. My IT team has 100 questions about security. Have you been pen tested? Does the gateway device run antivirus? What else runs on the stack?

These are all great questions. We have been pen tested. We are happy to walk through any questions your IT team(s) may have, any time! You can read more about our security standards in place in our security deep dive.

5. What about data? What do you do with it? Is my legal team going to worry about what you’re collecting?

We only collect what is necessary to run Comfy and follow best practices in data management. The data we collect and how it is managed can be found on our website in our security deep dive as well as our privacy policy.

6. What impact will this have on our network? Is it going to add a lot of traffic and slow things down?

Impacts on your network will be minimal. BACnet messages are small to begin with, and Comfy merges BACnet commands to reduce the traffic further. It is also possible to configure how often Comfy reads BACnet points to reduce traffic even more.

7. How can users access the app?

Comfy can be accessed via web browser and/or mobile app (Android and iOS).

8. Which browsers does Comfy support?

Comfy supports IE11, Edge, Chrome and Safari, including the mobile versions of these, and also provides Android and iOS apps.